To provide for the facilitation and
regulation of electronic communications and transactions; to provide
for
the development of a national e-strategy for the Republic; to promote
universal access to electronic communications and transac­tions and
the use of electronic transactions by SMMEs; to provide for human
resource development in electronic transactions; to prevent abuse of
information systems; to encourage the use of e-government services; and
to provide for matters connected therewith.

BE IT ENACTED by the Parliament of the Republic of South Africa, as
follows:­—

In this Act, unless the context
indicates otherwise­—"addressee",
in respect of a data message,
means a person who is
intended by the originator to receive the data
message, but not a person acting as an intermediary in respect of that data message;"advanced electronic
signature" means an electronic
signature which results from a process which
has been accredited by the Authority as provided for in section
37;"authentication
products or services" means products or services designed to
identify
the holder of an electronic signature
to other persons;"authentication
service provider" means a person whose authentication products or
services have
been accredited by the Accreditation Authority under section
37 or recognised under section 40;"Authority"
means the .za Domain Name
Authority;"automated transaction" means
an electronic transaction conducted or
performed, in whole or in part,
by means of data messages in which the
conduct or data messages of one or both
parties are not reviewed by a natural person in the ordinary course of
such natural person's business or employment;"browser"
means a computer program which
allows a person to read hyperlinked
data messages;
"cache" means high speed memory that stores data for relatively short periods of time, under computer
control, in order to speed up data transmission or
processing;"ccTLD"
means country code domain at the top
level of the Internet's domain name system assigned according
to the two-letter
codes in the International Standard ISO 3166-1 (Codes for
Representation
of Names of Countries and their Subdivision);"certification
service provider" means a person
providing an authentication
product or
service in the form of a digital certificate attached to,
incorporated in or logically associated with a data
message;"consumer"
means any natural person who
enters or intends entering into an electronic transaction
with a supplier as the end user of the goods or services offered by
that
supplier;"Consumer Affairs
Committee" means the Consumer Affairs Committee estab­lished
by
section 2 of the Consumer Affairs (Unfair Business Practices) Act, 1988
(Act No. 71 of 1988);"critical
data" means data
that is declared by the Minister in terms of section 53 to be
of importance to the protection of the national security of the
Republic
or the economic and social well-being of its citizens;"critical
database" means a
collection of critical data in electronic
form from where it may be
accessed, reproduced or extracted;"critical database
administrator" means the person
responsible for
the manage­ment and control of a critical
database;"cryptography product" means
any product that makes use of cryptographic techniques and is used by a
sender or recipient of data messages for
the purposes of ensuring­—

(a) that such data
can be accessed only by relevant persons;
(b) the authenticity of the data;
(c) the integrity of the data; or
(d) that the source of the data can be correctly
ascertained;

"cryptography provider" means
any person who provides or who proposes to
provide cryptography services or
products in
the Republic;"cryptography service" means
any service which is provided to a sender or a recipient of a data message or to anyone storing a data message, and which is designed to
facilitate the use of cryptographic techniques for the purpose of
ensuring­—

"cyber
inspector" means an
inspector referred to in Chapter XII;"data"
means electronic representations of
information in any form;"data
controller" means any person who
electronically requests, collects,
collates, processes or stores personal
information from or in respect
of a data subject;"data
message" means data
generated, sent, received or stored by electronic means and
includes­—

"data
subject" means any natural
person from or in respect of whom personal
information has been requested, collected, collated, processed or
stored, after the commencement of this Act;"Department"
means the Department of
Communications;"Director-General"
means the
Director-General of the Department;"domain
name" means an alphanumeric
designation that is registered or assigned in respect of an electronic
address or other resource on the Internet;"domain
name system" means a
system to translate domain names into IP addresses or other information;"e-government services" means
any public service provided by electronic means by any public body in the
Republic;"electronic
agent" means a
computer program or an electronic or other automated means used
independently to initiate an action or respond to data messages or performances in whole or in
part, in an automated transaction;"electronic communication"
means a communication by means of data messages;"electronic signature" means data attached to, incorporated in, or logically
associated with other data and which is intended
by
the user to serve as a signature;"e-mail"
means electronic mail, a data message used
or intended to be used as a
mail message between the originator and addressee in an electronic communica­tion;"home
page" means the primary entry point web page
of a web site;"hyperlink"
means a reference or link
from some point in one data message
directing a browser or
other technology or functionality to another data
message or point therein or to another place in the same data message;
"ICANN" means the Internet
Corporation for Assigned Names and Numbers,
a California non-profit public benefit corporation established in terms
of the laws of the state of California in the United States of America;"information
system" means a
system for generating, sending, receiving, storing, displaying or
otherwise processing data messages and
includes the Internet;"information system
services" includes the provision of connections, the operation
of
facilities for information systems,
the provision of access to information
systems, the transmission
or routing of data messages between or
among points specified by a user and the processing and storage of data, at the individual request of the recipient of
the service;"intermediary"
means a person who, on behalf of another person,
whether as agent or not, sends, receives or stores a particular data message or provides other services with
respect to that data message;"Internet"
means the interconnected system
of networks that connects computers around the world using the TCP/IP and includes future
versions thereof;"IP
address" means the number
identifying the point of connection of a computer or other device to
the Internet;"Minister"
means the Minister of
Communications;"originator"
means a person
by whom, or on whose behalf, a data message
purports to have been sent or generated prior to storage, if any, but
does not include a person acting as an intermediary with respect to that data message;"person"
includes a public
body;"personal information" means
information about an identifiable individual, including, but not
limited
to­—

(a) information relating to the
race, gender, sex, pregnancy, marital status, national, ethnic or
social
origin, colour, sexual orientation, age, physical or mental health,
well-being, disability, religion, conscience, belief, culture, language
and birth of the individual;
(b) information relating to the education or the medical, criminal or
employment history of the individual or information relating to
financial transactions in which the individual has been involved;
(c) any identifying number, symbol, or other particular assigned to the
individual;
(d) the address, fingerprints or blood type of the individual;
(e) the personal opinions, views or preferences of the individual,
except where they are about another individual or about a proposal for
a
grant, an award or a prize to be made to another individual;
(f) correspondence sent by the individual that is implicitly or
explicitly of a private or confidential nature or further
correspondence
that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the individual;
(h) the views or opinions of another individual about a proposal for a
grant, an award or a prize to be made to the individual, but excluding
the name of the other individual where it appears with the views or
opinions of the other individual; and
(i) the name of the individual where it appears with other personal information relating to the
individual or where the disclosure of the name itself would reveal
information about the individual,

but excludes information about an individual who has been dead for more
than 20 years;"prescribe"
means prescribe by regulation
under this Act;"private
body" means­—

(a) a natural person who carries
or has carried on any trade, business or profession, but only in such
capacity;
(b) a partnership which carries or has carried on any trade, business
or profession; or
(c) any former or existing juristic person,

­(a) any department of state
or administration in the national or provincial sphere of government or
any municipality in the local sphere of government; or
(b) any other functionary or institution when—

­(i) exercising a power or
performing a duty in terms of the Constitution or a provincial
constitution; or
(ii) exercising a power or performing a function in terms of any
legislation;

"registrant"
means an applicant for or
holder of a domain name;"registrar"
means an entity which is
licensed by the Authority
to update a repository;"registry"
means an entity licensed by the Authority to
manage and administer a specific subdomain;"repository"
means the primary register
of the information maintained by a registry;"second level domain" means the subdomain immediately following the ccTLD;"SMMEs"
means Small, Medium and Micro
Enterprises contemplated in the Schedules to the Small Business
Development Act, 1996 (Act No. 102 of 1996);"subdomain"
means any subdivision of the .za
domain name space which begins at the second level domain;"TCP/IP"
means the Transmission Control
Protocol Internet Protocol used by an information
system to connect to the Internet;
"TLD" means a top level domain
of the domain
name system;"third
party", in relation to a service
provider, means a subscriber to the service provider's services or any
other user of the service provider's services or a user of information systems;"transaction"
means a transaction of
either a commercial or non-commercial nature, and includes the
provision
of information and e-government
services;"universal
access" means access by
all citizens of the Republic to Internet
connectivity and electronic transactions;
"WAP" means Wireless
Application Protocol, an open international
standard developed by the Wireless Application Protocol Forum Limited,
a
company incorporated in terms of the laws of the United Kingdom, for
applications that use wireless communication and includes Internet access from a mobile phone;"web page"
means a data
message on the World Wide Web;"web site"
means any location on the Internet containing
a home
page or web page;"World
Wide Web" means an
information browsing framework that allows a user to locate and access
information stored on a remote computer and to follow references from
one computer to related information on another computer; and".za domain name space" means
the .za ccTLD assigned to the Republic according
to
the two-letter codes in the International Standard ISO 3166-1.

­(a) recognise the
importance
of the information economy for the economic and social prosperity of
the
Republic;
(b) promote universal access primarily in underserviced areas;
(c) promote the understanding and, acceptance of and growth in the
number of electronic transactions in the
Republic;
(d) remove and prevent barriers to electronic
communications and transactions in the
Republic;
(e) promote legal certainty and confidence in respect of electronic communica­tions
and transactions;
(f) promote technology neutrality in the application of legislation to electronic communications and transactions;
(g) promote e-government services
and electronic communications
and transac­tions with public and private bodies, institutions and
citizens;
(h) ensure that electronic transactions in
the Republic conform to the highest international standards;
(i) encourage investment and innovation in respect of electronic transactions in the Republic;
(j) develop a safe, secure and effective environment for the consumer, business and
the Government to conduct and use electronic transactions;
(k) promote the development of electronic transactions
services which are responsive to the needs of users and consumers;
(l) ensure that, in relation to the provision of electronic transactions services, the special needs of
particular communities and, areas and the disabled are duly taken into
account;
(m) ensure compliance with accepted International technical standards
in the provision and development of electronic
communications and transactions;
(n) promote the stability of electronic transactions
in the Republic;
(o) promote the development of human resources in the electronic transactions environment;
(p) promote SMMEs within the
electronic transactions environment;
(q) ensure efficient use and management of the .za domain name space; and
(r) ensure that the national interest of the Republic is not
compromised through the use of electronic
communications.

Interpretation

3.

This Act must not be interpreted
so as to exclude any statutory law or the common law from being applied
to, recognising or accommodating electronic transactions,data messages or any other matter provided
for in this Act.

Sphere
of application

4.

(1) Subject to any contrary
provision in this section, this Act applies in respect of any
electronic transaction or data
message.
(2) This Act must not be construed as­—

(a) requiring any person to generate, communicate, produce, process,
send, receive, record, retain, store or display any information,
document or signature by or in electronic form; or
(b) prohibiting a person from establishing
requirements in respect of the manner in which that person
will accept data messages.

(3) The sections of this Act mentioned in Column B of Schedule 1 do not apply to the laws mentioned
in
Column A of that Schedule.
(4) This Act must not be construed as giving validity to any transaction mentioned in Schedule
2.
(5) This Act does not limit the operation of any law that expressly
authorises, prohibits or regulates the use of data
messages, including any requirement by or under a law for
information to be posted or displayed in a specified manner, or for any
information or document to be transmitted by a specified method.

CHAPTER IIMAXIMISING
BENEFITS AND POLICY FRAMEWORK

Part 1

National
e-strategy

National
e-strategy

5.

(1) The Minister
must, within 24 months after the promulgation of this Act, develop a
three-year national e-strategy for the Republic, which must be
submitted
to the Cabinet for approval.
(2) The Cabinet must, on acceptance of the national e-strategy, declare
the implementation of the national e-strategy as a national priority.
(3) The Minister, in developing the national
e-strategy as envisaged in subsection (1)—

­(a) must determine all
matters involving e-govemment services in consultation with the
Minister
for the Public Service and Administration;
(b) must determine the roles of each person,
entity or sector in the implementation of the national e-strategy;
(c) must act as the responsible Minister for
co-ordinating and monitoring the implementation of the national
e-strategy;
(d) may make such investigations as he or she may consider necessary;
(e) may conduct research into and keep abreast of developments relevant
to electronic communications
and transactions in the Republic and
internation­ally;
(f) must continually survey and evaluate the extent to which the
objectives of the national e-strategy have been achieved;
(g) may liaise, consult and cooperate with public bodies, the private
sector or any other person; and
(h) may, in consultation with the Minister of Finance, appoint experts
and other consultants on such conditions as the Minister
may determine.

(4)

(a) The Minister
must, in consultation with other members of the Cabinet, determine the
subject matters to be addressed in the national e-strategy and the
principles that must govern the implementation thereof.
(b) Prior to prescribing any subject matter and principles provided for
in paragraph (a), the Minister must invite
comments from all interested parties by notice in the Gazette and consider any comments
received.
(c) The national e-strategy must, amongst others, set out­—

(i) the electronic transactions strategy of the Republic,
distinguishing between regional, national, continental and
international
strategies;
(ii) programmes and means to achieve universal
access, human resource development and development of SMMEs as provided for in this Part;
(iii) programmes and means to promote the overall readiness of the
Republic in respect of electronic transactions;
(iv) ways to promote the Republic as a preferred provider and user of
electronic transactions in the
international
market;
(v) existing government initiatives directly or indirectly relevant to
or impacting on the national e-strategy and, if applicable, how such
initiatives are to be utilised in attaining the objectives of the
national e-strategy;
(vi) the role expected to be performed by the private sector in the
implementation of the national e-strategy and how government can
solicit
the participation of the private sector to perform such role;
(vii) the defined objectives, including time frames within which the
objectives are to be achieved; and
(viii) the resources required to achieve the objectives provided for in
the national e-strategy.

(5) Upon approval by the Cabinet, the Minister
must publish the national e-strategy in the Gazette.
(6) For purposes of achieving the objectives of the national
e-strategy, the Minister may, in consultation
with the Minister of Finance­—

(a) procure funding from sources
other than the State;
(b) allocate funds for implementation of the national e-strategy to
such institutions and persons as are responsible
for delivery in terms of the national e-strategy and supervise the
execution of their mandate; and
(c) take any steps necessary to enable all relevant parties to carry
out their respective obligations.

(7) The Minister must annually report to the
Cabinet on progress made and objectives
achieved or outstanding and may include any other matter the Minister deems relevant.
(8) The Minister must annually review the
national e-strategy and where necessary make amendments thereto in
consultation with all relevant members of the Cabinet.
(9) No amendment or adaptation of the national e-strategy is effective
unless approved by the Cabinet.
(10) The Minister must publish any material
revision of the national e-strategy in the Gazette.
(11) The Minister must table an annual report
in Parliament regarding the progress made in the implementation of the
national e-strategy.

Universal
access

6.

In respect of universal access, the national e-strategy
must outline strategies and programmes to­—

(a) provide Internet
connectivity to disadvantaged communities;
(b) encourage the private sector to initiate schemes to provide universal access;
(c) foster the adoption and use of new technologies for attaining universal access; and
(d) stimulate public awareness, understanding and acceptance of the
benefits of Internet connectivity and
electronic
transacting.

Previously
disadvantaged persons and communities

7.

The Minister,
in developing the national e-strategy, must provide for ways of
maximising the benefits of electronic transactions
to historically disadvantaged persons and
communities, including, but not limited to­—

(a) making facilities and
infrastructure available or accessible to such persons
and communities to enable the marketing and sale of their goods or
services by way of electronic transactions;
(b) providing or securing support services for such facilities and
infrastructure to assist with the efficient execution of electronic transactions; and
(c) rendering assistance and advice to such persons
and communities on ways to adopt and utilise electronic transactions efficiently.

Development of human
resources

8.

(1) The Minister,
in developing the national e-strategy, must provide for ways of
promoting development of human resources set out in this section within
the context of the government's integrated human resource development
strategies, having regard to structures and programmes that have been
established under existing laws.
(2) The Minister must consult with the
Ministers of Labour and Education on existing facilities, programmes
and
structures for education, training and human resource development in
the
information technology sector relevant to the objects of this Act.
(3) Subject to subsections (1) and (2), the Minister
must promote skills development in the areas of—

­(a) information technology
products and services in support of electronic transactions;
(b) business strategies for SMMEs and other
businesses to utilise electronic transactions;
(c) sectoral, regional, national, continental and international policy
formulation for electronic transactions;
(d) project management on public and private sector implementation of
electronic transactions;
(e) the management of the .za domain
name space;
(f) the management of the IP address system
for the African continent in consultation with other African states;
(g) convergence between communication technologies affecting electronic
trans­actions;
(h) technology and business standards for electronic transactions;
(i) education on the nature, scope, impact, operation, use and benefits
of electronic transactions; and
(j) any other matter relevant to electronic transactions.

SMMEs

9.

The Minister
must, in consultation with the Minister of Trade and Industry, evaluate
the adequacy of any existing processes, programmes and infrastructure
providing for the utilisation by SMMEs of
electronic transactions and, pursuant to
such evaluation, may­—

(a) establish or facilitate the
establishment of electronic
communication centres for SMMEs;
(b) facilitate the development of web sites or
web site portals that will enable SMMEs
to transact electronically and obtain information about markets,
products and technical assistance; and
(c) facilitate the provision of such professional and expert assistance
and advice to SMMEs on ways to utilise electronic
transacting efficiently for their development.

­(a) act in consultation
with
members of the Cabinet directly affected by such policy formulation or
the consequences thereof;
(b) have due regard to­—

(i) the objects of this Act;
(ii) the nature, scope and impact of electronic transactions;
(iii) international best practice and conformity with the law and
guidelines of other jurisdictions and international bodies; and
(iv) existing laws and their administration in the Republic.

(3) The Minister must publish policy
guidelines
in the Gazette on issues
relevant to electronic transactions in the
Republic.
(4) In implementing this Chapter, the Minister
must encourage the development of innovative information systems and the growth of
related industry.

CHAPTER IIIFACILITATING
ELECTRONIC TRANSACTIONS

Part 1

Legal requirements for
data messages

Legal recognition of
data messages

11.

(1) lnformation is not without
legal force and effect merely on the grounds that it is wholly or
partly
in the form of a data message.
(2) Information is not without legal force and effect merely on the
grounds that it is not contained in the data
message purporting to give rise to such legal force and effect, but
is merely referred to in such data message.
(3) Information incorporated into an agreement and that is not in the
public domain is regarded as having been incorporated into a data message if such information is­—

(a) referred to in a way in
which
a reasonable person would have noticed the
reference thereto and incorporation thereof; and
(b) accessible in a form in which it may be read, stored and retrieved
by the other party, whether electronically or as a computer printout as
long as such information is reasonably capable of being reduced to
electronic form by the party incorporating it.

Writing

12.

A requirement in law that a
document or Information must be in writing is met if the document or
Information is­—

(a) in the form of a data message; and
(b) accessible in a manner usable for subsequent reference.

­(a) a method is used to
identify the person and to indicate the person's approval of the information communicated;
and
(b) having regard to all the relevant circumstances at the time the
method was used, the method was as reliable as was appropriate for the
purposes for which the information was communicated.

­(a) it is in the form of a data message; or
(b) it is not evidenced by an electronic
signature but is evidenced by other means from which such person's intent or other statement can be inferred.

Original

14.

(1) Where a law requires
information to be presented or retained in its original form, that
requirement is met by a data message if—

­(a) the integrity of the
information from the time when it was first generated in its final form
as a data message or otherwise has passed
assessment in terms of subsection (2); and
(b) that information is capable of being displayed or produced to the person to whom it is to be presented.

(2) For the purposes of subsection 1(a), the integrity must be
assessed­—

(a) by considering whether the
information has remained complete and unaltered, except for the
addition
of any endorsement and any change which arises in the normal course of
communication, storage and display;
(b) in the light of the purpose for which the information was
generated; and
(c) having regard to all other relevant circumstances.

Admissibility
and evidential weight of data messages

15.

(1) In any legal proceedings,
the rules of evidence must not be applied so as to deny the
admissibility of a data message, in
evidence­—

(a) on the mere grounds that it
is constituted by a data message; or
(b) if it is the best evidence that the person
adducing it could reasonably be expected to obtain, on the grounds that
it is not in its original form.

(2) Information in the form of a data message
must be given due evidential weight.
(3) In assessing the evidential weight of a data
message, regard must be had to­—

(a) the reliability of the
manner
in which the data message was generated,
stored or communicated;
(b) the reliability of the manner in which the integrity of the data message was maintained;
(c) the manner in which its originator was
identified; and
(d) any other relevant factor.

(4) A data message made by a person in the ordinary course of business, or a
copy
or printout of or an extract from such data
message certified to be correct by an officer in the service of
such person, is on its mere production in any
civil,
criminal, administrative or disciplinary proceedings under any law, the
rules of a self regulatory organisation or any other law or the common
law, admissible in evidence against any person
and
rebuttable proof of the facts contained in such record, copy, printout
or extract.

Retention

16.

(1) Where a law requires
information to be retained, that requirement is met by retaining such
information in the form of a data message,
if—

­(a) the information
contained in the data message is
accessible
so as to be usable for subsequent reference;
(b) the data message is in the format in
which it was generated, sent or received, or in a format which can be
demonstrated to represent accurately the
information generated, sent or received; and
(c) the origin and destination of that data
message and the date and time it was sent or received can be
determined.

(2) The obligation to retain information as contemplated in subsection
(1) does not extend to any information the sole purpose of which is to
enable the message to be sent or received.

Production of
document or information

17.

(1) Subject to section
28, where a law requires a person to produce
a document or information, that requirement is met if the person produces, by means of a data message, an electronic form of that
document or information, and if­—

(a) considering all the relevant
circumstances at the time that the data message
was sent, the method of generating the electronic form of that document
provided a reliable means of assuring the maintenance of the integrity
of the information contained in that document; and
(b) at the time the data message was sent,
it was reasonable to expect that the information contained therein
would
be readily accessible so as to be usable for subsequent reference.

(2) For the purposes of subsection (1), the integrity of the
information contained in a document is maintained if the information
has
remained complete and unaltered, except for­—

(a) the addition of any
endorsement; or
(b) any immaterial change, which arises in the normal course of
communication, storage or display.

Notarisation,
acknowledgement and certification

18.

(1) Where a law requires a
signature, statement or document to be notarised, acknowledged,
verified
or made under oath, that requirement is met if the advanced electronic signature
of the person authorised to perform those acts
is
attached to, incorporated in or logically associated with the electronic signature or data message.
(2) Where a law requires or permits a person to
provide a certified copy of a document and the document exists in
electronic form, that requirement is met if the person
provides a print-out certified to be a true reproduction of the
document
or information.
(3) Where a law requires or permits a person to
provide a certified copy of a document and the document exists in paper
or other physical form, that requirement is met if an electronic copy
of
the document is certified to be a true copy thereof and the
certification is confirmed by the use of an advanced electronic signature.

Other
requirements

19.

(1) A requirement in a law for
multiple copies of a document to be submitted to a single addressee at the same time, is satisfied by the
submission of a single data message that
is
capable of being reproduced by that addressee.
(2) An expression in a law, whether used as a noun or verb, including
the terms "document", "record", "file", "submit", "lodge", "deliver",
"issue", "publish", "write in", "print" or words or expressions of
similar effect, must be interpreted so as to include or permit such
form, format or action in relation to a data
message unless otherwise provided for in this Act.
(3) Where a seal is required by law to be affixed to a document and
such law does not prescribe
the method or form by which such document may be sealed by electronic
means, that requirement is met if the document indicates that it is
required to be under seal and it includes the advanced electronic signature
of the person by whom it is required to be
sealed.
(4) Where any law requires or permits a person
to
send a document or information by registered or certified post or
similar service, that requirement is met if an electronic copy of the
document or information is sent to the South African Post Office
Limited, is registered by the said Post Office and sent by that Post
Office to the electronic address provided by the sender.

­(a) an agreement may be
formed where an electronic agent performs an action required by law for
agreement formation;
(b) an agreement may be formed where all parties to a transaction or either one of them uses an electronic agent;
(c) a party using an electronic agent
to form an agreement is, subject to paragraph (d), presumed to be bound
by the terms of that agreement irrespective of whether that person reviewed the actions of the electronic agent or the terms of the
agreement;
(d) A party interacting with an electronic
agent to form an agreement is not bound by the terms of the
agreement unless those terms were capable of being reviewed by a
natural
person representing that party prior to agreement formation.
(e) no agreement is formed where a natural person interacts directly
with the electronic agent of another person and has made a material error during the
creation of a data message and­—

(i) the electronic agent did not provide that person with an opportunity to prevent or correct
the
error;
(ii) that person notifies the other person of the error as soon as practicable after
that person has learned of it;
(iii) that person takes reasonable steps,
including steps that conform to the other person's
instructions to return any performance received, or, if
instructed to do so, to destroy that performance; and
(iv) that person has not used or received any
material benefit or value from any performance received from the other person.

Part 2

Communication of data
messages

Variation by
agreement between parties

21.

This Part only applies if the
parties involved in generating, sending, receiving, storing or
otherwise
processing data messages have not reached
agreement on the issues provided for therein.

Formation and validity
of agreements

22.

(1) An agreement is not without
legal force and effect merely because it was concluded partly or in
whole by means of data messages.
(2) An agreement concluded between parties by means of data messages is concluded at the time when
and place where the acceptance ofthe offer was received by the offeror.

(a) accepts the filing of
documents, or requires that documents be created or retained;
(b) issues any pennit, licence or approval; or
(c) provides for a manner of payment,

may, notwithstanding anything to the contrary in such law—

­(i) accept the filing of
such documents, or the creation or retention of such documents in the
fonn of data messages;
(ii) issue such pennit, licence or approval in the fonn of a data message; or
(iii) make or receive payment in electronic form or by electronic means.

Requirements
may be specified

28.

(1) In any case where a public body perfonns any of the functions
referred to in section 27, such body may specify by
notice in the Gazette—

(a) from premises in the
Republic;
(b) to a person who is present in the Republic
when that person makes use of the service or
product; or
(c) to a person who uses the service or product
for the purposes of a business carried on in the Republic or from
premises in the Republic.

Restrictions
on disclosure of information

31.

(1) Information contained in the
register provided for in section 29 must not be
disclosed to any person other than to employees
of
the Department who are responsible for the
keeping of the register.
(2) Subsection (1) does not apply in respect of information which is
disclosed—

(a) to a relevant authority
which
investigates a criminal offence or for the purposes of any criminal
proceedings;
(b) to government agencies responsible for safety and security in the
Republic, pursuant to an official request;
(c) to a cyber inspector;
(d) pursuant to section 11 or 30 of the Promotion of Access to
Information Act, (Act No.2 of 2000); or
(e) for the purposes of any civil proceedings which relate to the
provision of cryptography services
or cryptography products and to
which a cryptography provider is
a
party.

Application of Chapter
and offences

32.

(1) The provisions of this
Chapter do not apply to the National Intelligence Agency established in
terms of section 3 of the Intelligence Services Act, 1994 (Act No. 38
of
1994).
(2) A person who contravenes or fails to comply
with a provision of this Chapter is guilty of an offence and liable on
conviction to a fine or to imprisonment for a period not exceeding two
years.

(1) For the purposes of this
Chapter the Director-General must act
as
the Accreditation Authority.
(2) The Accreditation Authority, after consultation with the Minister, may appoint employees of the Department as Deputy Accreditation Authorities
and officers.

(a) is uniquely linked to the
user;
(b) is capable of identifying that user;
(c) is created using means that can be maintained under the sole
control of that user; and
(d) will be linked to the data or data message to which it relates in such a
manner that any subsequent change of the data or data message is detectable;
(e) is based on the face-to-face identification of the user.

(a) Its financial and human
resources, including its assets;
(b) the quality of its hardware and software systems;
(c) its procedures for processing of products or services;
(d) the availability of information to third parties relying on the authentication product or
service;
(e) the regularity and extent of audits by an independent body;
(f) the factors referred to in subsection (4) where the products and
services are rendered by a certification
service provider; and
(g) any other relevant factor which may be prescribed.

(3) For the purposes of subsections (2)(b) and (c), the hardware and
software systems and procedures must at least­—

(a) be reasonably secure from
intrusion and misuse;
(b) provide a reasonable level of availability, reliability and correct
operation;
(c) be reasonably suited to performing their intended functions; and
(d) adhere to generally accepted security procedures.

(a) the technical and other
requirements which certificates must meet;
(b) the requirements for issuing certificates;
(c) the requirements for certification practice statements;
(d) the responsibilities of the certification service provider;
(e) the liability of the certification
service provider;
(f) the records to be kept and the manner in which and length of time
for which they must be kept;
(g) requirements as to adequate certificate suspension and revocation
procedures; and
(h) requirements as to adequate notification procedures relating to
certificate suspension and revocation.

(1) The Accreditation Authority
may suspend or revoke an accreditation if it is satisfied that the authentication service provider
has failed or ceases to meet any of the requirements, conditions or
restrictions subject to which accreditation was granted under section 38 or recognition was given in terms of section 40.
(2) Subject to the provisions of subsection (3), the Accreditation
Authority may not suspend or revoke the accreditation or recognition
contemplated in subsection (1) unless it has­—

­(i) respond to the
allegations in writing; and
(ii) remedy the alleged breach within a reasonable time.

(3) The Accreditation Authority may suspend accreditation granted under
section 38 or recognition given under section
40 with immediate effect for a period not exceeding 90 days,
pending
implementation of the procedures required by subsection (2), if the
continued accreditation or recognition of the authentication service provider
is reasonably likely to result in irreparable harm to consumers or any person
involved in an electronic transaction in
the
Republic.
(4) An authentication
service provider whose products or services have been accredited in
terms of this Chapter may terminate such accreditation at any time,
subject to such conditions as may be agreed to at the time of
accreditation or thereafter.

­(a) the rights and
obligations of persons relating to the provision
of accredited products and services;
(b) the manner in which the Accreditation Authority must administer and
supervise compliance with those obligations;
(c) the procedure pertaining to the granting, suspension and revocation
of accreditation;
(d) fees to be paid;
(e) information security requirements or guidelines; and
(f) any other relevant matter which it is necessary or expedient to prescribe for the proper implementation of this
Chapter.

(a) for financial services,
including but not limited to, investment services, insurance and
reinsurance operations, banking services and operations relating to
dealings in securities;
(b) by way of an auction;
(c) for the supply of foodstuffs, beverages or other goods intended for
everyday consumption supplied to the home, residence or workplace of
the consumer;
(d) for services which began with the consumer's
consent before the end of the seven-day period referred to in section 44(1);
(e) where the price for the supply of goods or services is dependent on
fluctuations in the financial markets and which cannot be controlled by
the supplier;
(f) where the goods—

­(i) are made to the consumer's specifications;
(ii) are clearly personalised;
(iii) by reason of their nature cannot be returned; or
(iv) are likely to deteriorate or expire rapidly;

(g) where audio or video recordings or computer software were unsealed
by the consumer;
(h) for the sale of newspapers, periodicals, magazines and books;
(i) for the provision of gaming and lottery services; or
(j) for the provision of accommodation, transport, catering or leisure
services and where the supplier undertakes, when the transaction is concluded, to provide these
services on a specific date or within a specific period.

(3) This Chapter does not apply to a regulatory authority established
in terms of a law if that law prescribesconsumer protection provisions in respect of
electronic transactions.

Information
to be provided

43.

(1) A supplier offering goods or
services for sale, for hire or for exchange by way of an electronic transaction must make the following
information
available to consumers on the web site where such goods or services are offered:

(a) Its full name and legal
status;
(b) its physical address and telephone number;
(c) its web site address and e-mail address;
(d) membership of any self-regulatory or accreditation bodies to which
that supplier belongs or subscribes and the contact details of that
body;
(e) any code of conduct to which that supplier subscribes and how that
code of conduct may be accessed electronically by the consumer;
(f) in the case of a legal person, its registration number, the names
of its office bearers and its place of registration;
(g) the physical address where that supplier will receive legal service
of documents;
(h) a sufficient description of the main characteristics of the goods
or services offered by that supplier to enable a consumer
to make an informed decision on the proposed electronic transaction;
(i) the full price of the goods or services, including transport costs,
taxes and any other fees or costs;
(j) the manner of payment;
(k) any terms of agreement, including any guarantees, that will apply
to the transaction and how those terms may
be
accessed, stored and reproduced electronically by consumers;
(l) the time within which the goods will be dispatched or delivered or
within which the services will be rendered;
(m) the manner and period within which consumers
can access and maintain a full record of the transaction;
(n) the return, exchange and refund policy of that supplier;
(o) any alternative dispute resolution code to which that supplier
subscribes and how the wording of that code may be accessed
electronically by the consumer;
(p) the security procedures and privacy policy of that supplier in
respect of payment, payment information and personal information;
(q) where appropriate, the minimum duration of the agreement in the
case of agreements for the supply of products or services to be
performed on an ongoing basis or recurrently; and
(r) the rights of consumers in terms of section 44, where applicable.

(a) to review the entire
electronic transaction;
(b) to correct any mistakes; and
(c) to withdraw from the transaction,
before finally placing any order.

(3) If a supplier fails to comply with the provisions of subsection (1)
or (2), the consumer may cancel the transaction within 14 days of receiving the
goods or services under the transaction.
(4) If a transaction is cancelled in terms
of subsection (3)—­

(a) the consumer
must return the performance of the supplier or, where applicable, cease
using the services performed; and
(b) the supplier must refund all payments made by the consumer minus the direct cost of returning the
goods.

(5) The supplier must utilise a payment system that is sufficiently
secure with reference to accepted technological standards at the time
of
the transaction and the type of transaction concerned.
(6) The supplier is liable for any damage suffered by a consumer due to a failure by the supplier to
comply with subsection (5).

Cooling-off
period

44.

(1) A consumer
is entitled to cancel without reason and without penalty any transaction and any related credit agreement
for the supply—­

(a) of goods within seven days
after the date of the receipt of the goods; or
(b) of services within seven days after the date of the conclusion of
the agreement.

(2) The only charge that may be levied on the consumer
is the direct cost of returning
the goods.
(3) If payment for the goods or services has been effected prior to a consumer exercising a right referred to in
subsection (1), the consumer is entitled to a
full refund of such payment, which refund must be made within 30 days
of
the date of cancellation.
(4) This section must not be construed as prejudicing the rights of a consumer provided for in any other law.

(a) with the option to cancel
his
or her subscription to the mailing list of that person;
and
(b) with the identifying particulars of the source from which that person obtained the consumer'spersonal information, on request of
the consumer.

(2) No agreement is concluded where a consumer
has failed to respond to an unsolicited communication.
(3) Any person who fails to comply with or
contravenes subsection (1) is guilty of an offence and liable, on
conviction, to the penalties prescribed in section 89(1).
(4) Any person who sends unsolicited commercial
communications to a person who has advised the
sender that such communications are unwelcome, is guilty of an offence
and liable, on conviction, to the penalties prescribed
in section 89(1).

Performance

46.

(1) The supplier must execute
the order within 30 days after the day on which the supplier received
the order, unless the parties have agreed otherwise.
(2) Where a supplier has failed to execute the order within 30 days or
within the agreed period, the consumer may
cancel the agreement with seven days' written notice.
(3) If a supplier is unable to perform in terms of the agreement on the
grounds that the goods or services ordered are unavailable, the
supplier
must immediately notify the consumer of this
fact and refund any payments within 30 days after the date of such
notification.

Applicability
of foreign law

47.

The protection provided to consumers in this Chapter, applies irrespective
of the legal system applicable to the agreement in question.

Non-exclusion

48.

Any provision in an agreement
which excludes any rights provided for in this Chapter is null and void.

(1) This Chapter only applies to
personal information that has
been
obtained through electronic transactions.
(2) A data controller may voluntarily
subscribe to the principles outlined in section 51
by
recording such fact in any agreement with a data
subject.
(3) A data controller must subscribe to
all the principles outlined in section 51 and not
merely to parts thereof.
(4) The rights and obligations of the parties in respect of the breach
of the principles outlined in section 51 are
governed
by the terms of any agreement between them.

­(a) declare certain classes
of information which is of importance to the protection of the national
security of the Republic or the economic and social well-being of its
citizens to be critical data for the
purposes of this Chapter; and
(b) establish procedures to be followed in the identification of critical databases for the purposes of
this Chapter.

(a) requirements for the
registration of critical databases
with the Department or such other body as
the Minister may specify;
(b) procedures to be followed for registration; and
(c) any other matter relating to registration.

(2) For purposes of this Chapter, registration of a critical database means recording the
following information in a register maintained by the Department or by such other body as the Minister may specify:

­(a) the general management
of critical databases;
(b) access to, transfer and control of critical
databases;
(c) infrastructural or procedural rules and requirements for securing
the integrity and authenticity of critical
data;
(d) procedures and technological methods to be used in the storage or
archiving of critical databases;
(e) disaster recovery plans in the event of loss of critical databases or parts thereof; and
(f) any other matter required for the adequate protection, management
and control of critical databases.

(2) In respect of critical databases
administered by public bodies, all regulations contemplated in
subsection (1) must be made in consultation with all members of the
Cabinet affected by the provisions of this Chapter: Provided that the Minister must not record information contemplated
in section 54(2) if that information could
reasonably compromise­—

(3) This Chapter must not be construed so as to prejudice the right of
a public body to perform any function
authorised in terms of any other law.

Restrictions on
disclosure of information

56.

(1) Information contained in the
register provided for in section 54 must not be
disclosed to any person other than to employees
of
the Department who are responsible for the
keeping of the register.
(2) Subsection (1) does not apply in respect of information which is
disclosed—

­(a) to a relevant authority
which is investigating a criminal offence or for the purposes of any
criminal proceedings;
(b) to government agencies responsible for safety and security in the
Republic pursuant to an official request;
(c) to a cyber inspector for purposes
of section 57;
(d) pursuant to sections 11 and 30 of the Promotion of Access to
Information Act, 2000; or
(e) for the purposes of any civil proceedings which relate to the critical data or parts thereof.

A juristic person to be known as
the .za Domain Name Authority is hereby established for the purpose of
assuming responsibility for the .za
domain name space as from a date determined by the Minister by notice in the Gazette and by notifying all
relevant authorities.

Incorporation
of Authority

60.

(1) The Minister
must, within 12 months of the date of commencement of this Act, take
all
steps necessary for the incorporation of the Authority
as a company contemplated in section 21(1) of the Companies Act, 1973
(Act No. 61 of 1973).
(2) All citizens and permanent residents of the Republic are eligible
for membership of the Authority and must be
registered as members upon application and on payment of a nominal fee
to cover the cost of registration of membership and without having to
comply with any formality.
(3) For the purpose of the incorporation of the Authority
a person representing the Minister
and the members of Namespace ZA as at the date of application for
incorporation must be deemed to be members of the Authority.

Authority's
memorandum and articles of association

61.

(1) The memorandum of
association and articles of association of the Authority
must be consistent with this Chapter and, except where this Chapter
provides to the contrary, also with the Companies Act, 1973 (Act No. 61
of 1973).
(2) Notwithstanding the Companies Act, 1973, an amendment to the
memorandum of association or articles of association affecting any
arrangement made by any provision of this Chapter, does not have any
legal force and effect unless the Minister has
consented in writing to such an amendment, which consent may not be
withheld unreasonably.
(3) No fee is payable in terms of the Companies Act, 1973, in respect
of the reservation of the name of the company, the registration of the
said memorandum and articles and the issue of the certificate to
commence business.
(4) The memorandum and articles of association of the Authority must, amongst others, provide for—

­(a) the rules for the
convening and conducting of meetings of the Board, including the quorum
required for and the minutes to be kept of those meetings;
(b) the manner in which decisions are to be made;
(c) the establishment of any division of the Authority
to perform specialised functions;
(d) the establishment and functioning of committees, including a
management committee;
(e) the co-opting by the Board or a committee of any person
to assist the Authority or committee in the
consideration of any particular matter;
(f) the preparation by the Board of an annual business plan in terms of
which the activities of the Authority are
planned annually;
(g) the banking and investment of funds by the Board;
(h) provisions to regulate the manner in which, and procedures whereby,
expertise from any person is obtained in order
to
further the objects of the Authority;
(i) the determination through arbitration of any dispute concerning the
interpre­tation of the memorandum and articles of association of
the Authority;
(j) the delegation of powers and assignment of duties to directors,
committees and employees: Provided that the Board may­—

(i) not be divested of any power
or duty by virtue of the delegation or assignment; and
(ii) vary or set aside any decision made under any delegation or in
terms of any assignment;

(k) the procedures and criteria for the establishment and
disestablishment of second level domains
and for delegations to such domains;
(l) appeal mechanisms;
(m) the tenure of directors;
(n) the circumstances under and the manner in which a directorship is
terminated;
(o) criteria for the disqualification of directors;
(p) the method of determining the allowances to be paid to directors
for attending meetings; and
(q) the powers and duties of directors.

Part 2

Governance and
staffing of Authority

Board of directors of
Authority

62.

(1) The Authority
is managed and controlled by a Board of Directors consisting of nine
directors, one of whom is the chairperson.
(2) The process of appointment is the following:

(a) The Minister
must appoint an independent selection panel consisting of five persons, who command public respect for their
fair-mindedness, wisdom and understanding of issues concerning the Internet, culture, language, academia and
business, the names of whom must be placed in a notice in the Gazette;
(b) the Minister must invite nominations for
members of the Board from the public through newspapers which have
general circulation throughout the Republic, on-line news services,
radio and by notice in the Gazette;
(c) nominations must be made to the panel established in terms of
paragraph (a);
(d) the panel must recommend to the Minister
names of nine persons to be appointed to the
Board taking into account the sectors of stakeholders listed in
subsection (3)(b);
(e) if the Minister is not satisfied that the
recommendations of the panel comply with subsection (3) the Minister may request the panel to review its
recommendations and make new ones;
(f) the Minister must appoint the members of
the Board, and publish the names of those appointed in the Gazette;
(g) the Minister must appoint the Chairperson
of the Board from among the names recommended by the panel.

(3)

(a) The Board, when viewed
collectively, must be broadly representative of the demographics of the
country, including having regard to gender and disability.
(b) Sectors of stakeholders contemplated in subsection (2)(d) are­—

(4) Directors must be persons who are committed
to fairness, openness and accountability and to the objects of this Act.
(5) All directors serve in a part-time and non-executive capacity.
(6) Any vacancy on the Board must be filled in accordance with
subsections (2) and (3).

Staff
of Authority

63.

(1) The chief executive officer
of the Authority appointed by the Board must
perform any work incidental to the functions of the Authority.
(2) The chief executive officer must be assisted by staff appointed by
the Board.
(3) The Board must determine the conditions of service, remuneration
and service benefits of the chief executive officer and the staff.
(4) If the chief executive officer is for any reason unable to perform
his or her functions, the Board may designate a person
in the service of the Authority to act as the
acting chief executive officer until the chief executive officer is
able
to resume office.

(a) may conduct such
investigations as it may consider necessary;
(b) must conduct research into and keep abreast of developments in the
Republic and elsewhere on the domain
name
system;
(c) must continually survey and evaluate the extent to which the .za domain name space meets the
needs
of the citizens of the Republic; and
(d) may, from time to time, issue information on the registration of domain names in the Republic.

(a) liaise, consult and
co-operate with any person or other authority;
and
(b) appoint experts and other consultants on such conditions as the Authority may determine.

(7) The Authority must respect and uphold the
vested rights and interests of parties that were actively involved in
the management and administration of the .za domain name space at the date of
its establishment: Provided that­—

(a) such parties must be granted
a period of six months during which they may continue to operate in
respect of their existing delegated sub-domains; and
(b) after the expiry of the six-month period, such parties must duly
apply to be licensed registrars and registries as provided for in this Part.

Part 4

Finances
and reporting

Finances of Authority

66.

(1) All money received by the Authority must be deposited in a banking account
in the name of the Authority with a bank
established under the Banks Act, 1990 (Act No. 94 of 1990), or a mutual
bank established under the Mutual Banks Act, 1993 (Act No. 124 of 1993).
(2) The chief executive officer is the accounting officer of the Authority and must ensure that—

­(a) proper record of all
the
financial transactions, assets and
liabilities of the Authority are kept; and
(b) as soon as possible, but not later than three months after the end
of a financial year, accounts reflecting the income and expenditure of
the Authority and a
balance sheet of the assets and liabilities of the Authority
as at the end of that financial year are prepared and submitted to the
Board and Minister.

(a) the capital invested in or
lent to the Authority;
(b) money appropriated by Parliament for that purpose;
(c) income derived from the sale or other commercial exploitation of
its licenses, approvals, products, technology, services or expertise in
terms of this Act;
(d) loans raised by the Authority;
(e) the proceeds of any sale of assets;
(f) income or interest earned on the Authority's
cash balances or on money invested by it; and
(g) money received by way of grant, contribution, donation or
inheritance from any source inside or outside the Republic.

(4) The funds of the Authority must be utili
sed to meet the expenditure incurred by the Authority
in connection with its functioning, business and operations in terms of
this Act.
(5)

(a) The money may be so utilised
only as provided for in a statement of the Authority's
estimated income and expenditure, that has been approved by the Minister.
(b) Money received by way of grant, contribution, donation or
inheritance in terms of subsection (3)(g), must be utilised in
accordance with any conditions imposed by the grantor, contributor,
donor or testator concerned.

(6)

(a) The Board must in each
financial year, at a time determined by the Minister,
submit to the Minister for approval a
statement
of the Authority's estimated income and
expenditure for the next financial year.
(b) The Board may at any time during the course of a financial year,
submit a supplementary statement of estimated income and expenditure of
the Authority for that financial year, to the
Minister for approval.
(c) The Minister may grant the approval of the
statement referred to in paragraph (a), with the agreement of the
Minister of Finance.
(d) The Authority may not incur any
expenditure in excess of the total amount approved under paragraph (c).

(7) The Board may establish a reserve fund for any purpose that is
connected with the Authority's functions
under
this Act and has been approved by the Minster, and may allocate to the
reserve fund the money that may be made available for the purposes in
the statement of estimated income and expenditure or supplementary
statement contem­plated in subsection (6).
(8) To the extent that the Authority is
provided with start-up capital by the State, the Authority
may, at the election of the Minister of Finance, be made subject to the
Public Finance Management Act, (Act No.1 of 1999), until such time as
the Authority, to the satisfaction of the
Minister of Finance, becomes self-sustaining through the alternative
sources of revenue provided for in subsection (3).

Reports

67.

As soon as practicable after the
end of every financial year, the Board must submit a report on its
activities during that year to the Minister
who
must table that report in Parliament.

­(a) the requirements which registries and registrars
must meet in order to be licensed, including objective standards
relating to operational accuracy, stability, robustness and efficiency;
(b) the circumstances and manner in which registrations may be
assigned, registered, renewed, refused, or revoked by the registries with due regard to the express
recognition of the right of groups and members of groups within the
Republic to identify with, use or communicate cultural, linguistic,
geographical, indigenous or any other expressions of heritage including
any visual or audible elements or attributes thereof;
(c) pricing policy;
(d) provisions for the restoration of a domain
name registration and penalties for late payments;
(e) the terms of the domain name
registration agreement which registries and registrars must adopt and use in registering domain names, including issues in respect of
privacy, consumer protection and alternative
dispute resolution;
(f) processes and procedures to avoid unfair and anti-competitive
practices, including bias to, or preferential treatment of actual or
prospective registrants,registries or registrars,
protocols or products;
(g) requirements to ensure that each domain name
contains an administrati ve and technical contact;
(h) the creation of new sub-domains;
(i) procedures for ensuring monitoring of compliance with the
provisions of this Act and the regulations provided for in this
Chapter,
including regular .za domain name
space
technical audits;
(j) such other matters relating to the .za
domain name space as it may be necessary to prescribe
to achieve the objectives of this Chapter; and
(k) policy to be applied by the Authority.

Part 6

Alternative dispute
resolution

Alternative dispute
resolution

69.

(1) The Minister,
in consultation with the Minister of Trade and Industry, must make
regulations for an alternative mechanism for the resolution of disputes
in respect of the .za domain name
space.
(2) The regulations must be made with due regard to existing
international precedent.
(3) The regulations may prescribe—

(a) procedures for the
resolution
of certain types of disputes determined in the regulations and which
relate to a domain name registration;
(b) the role which the Authority must fulfil
in administering the dispute resolution procedure;
(c) the appointment, role and function of dispute resolution
adjudicators;
(d) the procedure and rules which must be followed in adjudicating
disputes;
(e) unlawful actions or activities in respect of domain
names, distinguishing between criminal and civil liability;
(f) measures to prevent unlawful actions or activities with respect to domain names;
(g) the manner, costs of and time within which a determination must be
made;
(h) the implementation of determinations made in terms of the dispute
resolution procedure;
(i) the limitation of liability of registrars
and registries for implementing a
determination;
and
(j) the enforcement and publication of determinations.

(1) The Minister
may, on application by an industry representative body for service
providers by notice in the Gazette,
recognise such body for purposes of section 72.
(2) The Minister may only recognise a
representative body referred to in subsection (1) if the Minister is satisfied that—­

(a) its members are subject to a
code of conduct;
(b) membership is subject to adequate criteria;
(c) the code of conduct requires continued adherence to adequate
standards of conduct; and
(d) the representative body is capable of monitoring and enforcing its
code of conduct adequately.

Conditions
for eligibility

72.

The limitations on liability
established by this Chapter apply to a service provider only if—

(a) the service provider is a
member of the representative body referred to in section
71; and
(b) the service provider has adopted and implemented the official code
of conduct of that representative body.

Mere conduit

73.

(1) A service provider is not
liable for providing access to or for operating facilities for information systems or transmitting,
routing or storage of data messages via an
information system under its
control, as
long as the service provider—­

(a) does not initiate the
transmission;
(b) does not select the addressee;
(c) performs the functions in an automatic, technical manner without
selection of the data; and
(d) does not modify the data contained in the
transmission.

(2) The acts of transmission, routing and of provision of access
referred to in subsection (1) include the automatic, intermediate and
transient storage of the information transmitted in so far as this
takes
place—

­(a) for the sole purpose of
carrying out the transmission in the information
system;
(b) in a manner that makes it ordinarily inaccessible to anyone other
than anticipated recipients; and
(c) for a period no longer than is reasonably necessary for the
transmission.

(3) Notwithstanding this section, a competent court may order a service
provider to terminate or prevent unlawful activity in terms of any
other
law.

Caching

74.

(1) A service provider that
transmits data provided by a recipient of the
service via an information system
under its control is not liable for the automatic, intermediate and
temporary storage of that data, where the purpose
of storing such data is to make the onward
transmission of the data more efficient to other
recipients of the service upon their request, as long as the service
provider—­

(a) does not modify the data;
(b) complies with conditions on access to the data;
(c) complies with rules regarding the updating of the data,
specified in a manner widely recognised and used by industry;
(d) does not interfere with the lawful use of technology, widely
recognised and used by industry, to obtain information on the use of
the data; and
(e) removes or disables access to the data it has
stored upon receiving a take-down notice referred to in section
77.

(2) Notwithstanding this section, a competent court may order a service
provider to terminate or prevent unlawful activity in terms of any
other
law.

Hosting

75.

(1) A service provider that
provides a service that consists of the storage of data
provided by a recipient of the service, is not liable for damages
arising from data stored at the request of the
recipient of the service, as long as the service provider—­

(a) does not have actual
knowledge that the data message or an
activity relating to the data message is
infringing the rights of a third party; or
(b) is not aware of facts or circumstances from which the infringing
activity or the infringing nature of the data
message is apparent; and
(c) upon receipt of a take-down notification referred to in section 77, acts expeditiously to remove or to disable
access to the data.

(2) The limitations on liability established by this section do not
apply to a service provider unless it has designated an agent to
receive
notifications of infringement and has provided through its services,
including on its web sites in locations
accessible to the public, the name, address, phone number and e-mail address of the agent.
(3) Notwithstanding this section, a competent court may order a service
provider to terminate or prevent unlawful activity in terms of any
other
law.
(4) Subsection (1) does not apply when the recipient of the service is
acting under the authority or the control of the service provider.

Information
location tools

76.

A service provider is not liable
for damages incurred by a person if the service
provider refers or links users to a web page
containing an infringing data message or
infringing activity, by using information location tools, including a
directory, index, reference, pointer, or hyperlink,
where the service provider—­

(a) does not have actual
knowledge that the data message or an
activity relating to the data message is
infringing the rights of that person;
(b) is not aware of facts or circumstances from which the infringing
activity or the infringing nature of the data
message is apparent;
(c) does not receive a financial benefit directly attributable to the
infringing activity; and
(d) removes, or disables access to, the reference or link to the data message or activity within a reasonable
time after being informed that the data message
or the activity relating to such data message,
infringes the rights of a person.

Take-down
notification

77.

(1) For the purposes of this
Chapter, a notification of unlawful activity must be in writing, must
be
addressed by the complainant to the service provider or its designated
agent and must include—­

(a) the full names and address
of
the complainant;
(b) the written or electronic signature
of the complainant;
(c) identification of the right that has allegedly been infringed;
(d) identification of the material or activity that is claimed to be
the subject of unlawful activity;
(e) the remedial action required to be taken by the service provider in
respect of the complaint;
(f) telephonic and electronic contact details, if any, of the
complainant;
(g) a statement that the complainant is acting in good faith;
(h) a statement by the complainant that the information in the
take-down notification is to his or her knowledge true and correct; and

(2) Any person who lodges a notification of
unlawful activity with a service provider knowing that it materially
misrepresents the facts is liable for damages for wrongful take-down.
(3) A service provider is not liable for wrongful take-down in response
to a notification.

No general obligation to
monitor

78.

(1) When providing the services
contemplated in this Chapter there is no general obligation on a
service
provider to—­

(a) monitor the data
which it transmits or stores; or
(b) actively seek facts or circumstances indicating an unlawful
activity.

(2) The Minister may, subject to section 14 of
the Constitution, prescribe procedures for
service providers to—

­(a) inform the competent
public authorities of alleged illegal activities under taken or
information provided by recipients of their service; and
(b) to communicate to the competent authorities, at their request,
information enabling the identification of recipients of their service.

Savings

79.

This Chapter does not
affect—­

(a) any obligation founded on an
agreement;
(b) the obligation of a service provider acting as such under a
licensing or other regulatory regime established by or under any law;
(c) any obligation imposed by law or by a court to remove, block or
deny access to any data message; or
(d) any right to limitation of liability based on the common law or the
Constitution.

(2) Any statutory body, including the South African Police Service,
with powers of inspection or search and seizure in terms of any law may
apply for assistance from a cyber inspector
to assist it in an investigation: Provided that­—

(a) the requesting body must
apply to the Department for assistance in
the prescribed manner; and
(b) the Department may authorise such
assistance on certain conditions.

Power to inspect, search
and seize

82.

(1) A cyber
inspector may, in the performance of his or her functions, at any
reasonable time, without prior notice and on the authority of a warrant
issued in terms of section 83(1), enter any
premises
or access an information system that
has a bearing on an investigation and­—

(a) search those premises or
that information system;
(b) search any person on those premises if there
are reasonable grounds for believing that the person
has personal possession of an article, document or record that has a
bearing on the investigation;
(c) take extracts from, or make copies of any book, document or record
that is on or in the premises or in the information
system and that has a bearing on the investigation;
(d) demand the production of and inspect relevant licences and
registration certificates as provided for in any law;
(e) inspect any facilities on the premises which are linked or
associated with the information system
and which have a bearing on the investigation;
(f) have access to and inspect the operation of any computer or
equipment forming part of an information
system and any associated apparatus or material which the cyber inspector has reasonable cause to
suspect is or has been used in connection with any offence;
(g) use or cause to be used any information
system or part thereof to search any data
contained in or available to such information
system;
(h) require the person by whom or on whose
behalf
the cyber inspector has reasonable
cause
to suspect the computer or information
system is or has been used, or require any person
in control of, or otherwise involved with the operation of the computer
or information system to provide him
or her with such reasonable technical and other assistance as he or she
may require for the purposes of this Chapter; or
(i) make such inquiries as may be necessary to ascertain whether the
provisions of this Act or any other law on which an investigation is
based, have been complied with.

(2) A person who refuses to co-operate or
hinders
a person conducting a lawful search and seizure
in
terms of this section is guilty of an offence.
(3) The Criminal Procedure Act, 1977 (Act No. 51 of 1977), applies with
the necessary changes to searches and seizures in terms of this Act.
(4) For purposes of this Act, any reference in the Criminal Procedure
Act, 1977, to "premises" and "article" includes an information system as well as data messages.

Obtaining
warrant

83.

(1) Any magistrate or judge may,
upon a request from a cyber inspector
but
subject to the provisions of section 25 of the Criminal Procedure Act,
1977 (Act No. 51 of 1977), issue a warrant required by a cyber inspector in terms of this Chapter.
(2) For the purposes of subsection (1), a magistrate or judge may issue
a warrant where­—

(a) an offence has been
committed
within the Republic;
(b) the subject of an investigation is­—

(i) a South African citizen or
ordinarily resident in the Republic; or
(ii) present in the Republic at the time when the warrant is applied
for; or

(c) information pertinent to the investigation is accessible from
within the area of jurisdiction of the court.

(3) A warrant to enter, search and seize may be issued at any time and
must­—

(a) identify the premises or information system that may be entered
and searched; and
(b) specify which acts may be performed thereunder by the cyber inspector to whom it is issued.

(4) A warrant to enter and search is valid until­—

(a) the warrant has been
executed;
(b) the warrant is cancelled by the person who
issued it or in that person's absence, by a person with similar authority;
(c) the purpose for issuing it has lapsed; or
(d) the expiry of one month from the date on which it was issued.

(5) A warrant to enter and search premises may be executed only during
the day, unless the judge or magistrate who issued it, authorises that
it may be executed at any other time.

Preservation of
confidentiality

84.

(1) Except for the purpose of
this Act or for the prosecution of an offence or pursuant to an order
of
court, a person who has, pursuant to any powers
conferred under this Chapter, obtained access to any information may
not
disclose such information to any other person.
(2) Any person who contravenes subsection (1) is
guilty of an offence and liable on conviction to a fine or to
imprisonment for a period not exceeding six months.

CHAPTER XIIICYBER CRIME

Definition

85.

In this Chapter, unless the
context indicates otherwise—
­ "access" includes the actions of a person
who, after taking note of any data, becomes aware
of the fact that he or she is not authorised to access that data and still continues to access that data.

Unauthorised
access to, interception of or interference with data

86.

(1) Subject to the Interception
and Monitoring Prohibition Act, 1992 (Act No. 127 of 1992), a person who intentionally accesses or intercepts any
data without authority or permission to do
so, is
guilty of an offence.
(2) A person who intentionally and without
authority to do so, interferes with data in a way
which causes such data to be modified, destroyed
or
otherwise rendered ineffective, is guilty of an offence.
(3) A person who unlawfully produces, sells,
offers to sell, procures for use, designs, adapts for use, distributes
or possesses any device, including a computer program or a component,
which is designed primarily to overcome security measures for the
protection of data, or performs any of those acts
with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilise such item
to contravene this section, is guilty of an offence.
(4) A person who utilises any device or computer
program mentioned in subsection (3) in order to unlawfully overcome
security measures designed to protect such data or
access thereto, is guilty of an offence.
(5) A person who commits any act described in
this section with the intent to interfere with access to an information system so as to constitute
a
denial, including a partial denial, of service to legitimate users is
guilty of an offence.

Computer-related
extortion, fraud and forgery

87.

(1) A person
who performs or threatens to perform any of the acts described in section 86, for the purpose of obtaining any unlawful
proprietary advantage by undertaking to cease or desist from such
action, or by undertaking to restore any damage caused as a result of
those actions, is guilty of an offence.
(2) A person who performs any of the acts
described in section 86 for the purpose of
obtaining
any unlawful advantage by causing fake data to be
produced with the intent that it be considered or acted upon as if it
were authentic, is guilty of an offence.

Attempt, and aiding and
abetting

88.

(1) A person
who attempts to commit any of the offences referred to in sections
86 and 87 is guilty of an offence and is liable
on conviction to the penalties set out in section 89(1)
or (2), as the case may be.
(2) Any person who aids and abets someone to
commit any of the offences referred to in sections 86
and 87 is guilty of an offence and is liable on
conviction to the penalties set out in section 89(1)
or (2), as the case may be.

Penalties

89.

(1) A person
convicted of an offence referred to in sections 37(3),40(2), 58(2), 80(5),82(2) or 86(1), (2) or (3) is
liable to a fine or imprisonment for a period not exceeding 12 months.
(2) A person convicted of an offence referred to
in section 86(4) or (5) or section
87
is liable to a fine or imprisonment for a period not exceeding five
years.

CHAPTER XIVGENERAL
PROVISIONS

Jurisdiction
of courts

90.

A court in the Republic trying
an offence in terms of this Act has jurisdiction where­—
(a) the offence was committed in the Republic;
(b) any act of preparation towards the offence or any part of the
offence was committed in the Republic, or where any result of the
offence has had an effect in the Republic;
(c) the offence was committed by a South African citizen or a person with permanent residence in the Republic or
by a person carrying on business in the
Republic;
or
(d) the offence was committed on board any ship or aircraft registered
in the Republic or on a voyage or flight to or from the Republic at the
time that the offence was committed.

Saving
of common law

91.

This Chapter does not affect
criminal or civil liability in terms ofthe common law.

Repeal
of Act 57 of 1983

92.

The Computer Evidence Act, 1983,
is hereby repealed.

Limitation
of liability

93.

Neither the State, the Minister, nor any employee of the State is liable
in respect of any act or omission in good faith and without gross
negligence in performing a function in terms of this Act.

Regulations

94.

The Minister
may make regulations regarding any matter that mayor must be prescribed in terms of this Act or any matter
which it is necessary or expedient to prescribe
for the proper implementation or administration of this Act.

Short
title and commencement

95.

This Act is called the
Electronic Communications and Transactions Act, 2002, and comes into
operation on a date fixed by the President by proclamation in the Gazette.